Rule Name                              | Rule Type | Common Event            | Classification
Catch All : VSS Messages               | Base Rule | General VSS Information | Information
EVID 8219 : VSS File Expanding Timeout | Sub Rule  | VSS Service Timeout     | Information
EVID 8220 : VSS File Delete Timeout    | Sub Rule  | VSS Service Timeout     | Information
EVID 8224 : VSS Idle Timeout           | Sub Rule  | VSS Service Timeout     | Information
EVID 8225 : VSS Shutting Down          | Sub Rule  | General VSS Information | Information
EVID 12289 : VSS Error                 | Sub Rule  | General VSS Error       | Error

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='VSS'/><EventID Qualifiers='0'>12289</EventID><Level>Error</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-17T08:31:45.000000000Z'/><EventRecordID>398918</EventRecordID><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security/></System><EventData><Data>DeviceIoControl(\\?\fdc#generic_floppy_drive#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} - 0000000000000408,0x00560000,0000000000000000,0,0000004DF1DA2180,4096,[0])</Data><Data>0x80070001, Incorrect function.

</Data><Data>

Operation:
Exposing Recovered Volumes
Locating shadow-copy LUNs
PostSnapshot Event
Executing Asynchronous Operation

Context:
Device: \\?\fdc#generic_floppy_drive#cxxxxxxxxxxx#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Examining Detected Volume: Existing - \\?\fdc#generic_floppy_drive#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Execution Context: Provider
Provider Name: VMware Snapshot Provider
Provider Version: 1.0.0
Provider ID: {564d7761-7265-2056-5353-2050726f7669}
Current State: DoSnapshotSet</Data><Binary>2D20436F64653A20494E434943484C4830303030303532312D2043616C6C3A20434F52485755544330303030303131372D205049443A202030303030343134302D205449443A202030303030313539322D20434D443A2020433A5C57696E646F77735C73797374656D33325C76737376632E6578652020202D20557365723A204E616D653A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820</Binary></EventData></Event>

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value            | LogRhythm Schema | Data Type
Provider Name             | VSS                  | <vendorinfo>     | Text/String
EventID                   | 12289                | <vmid>           | Number
Level                     | Error                | <severity>       | Text/String
Computer                  | _destinationHostname | <dname>          | Text/String
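To check the rule table and the schema mapping above against an actual event, the following added Python example (not part of this page and not LogRhythm's own parser) parses a Windows event in the XML form shown under Sample Logs, applies the EVID-to-rule lookup and the four schema mappings, and decodes the <Binary> element, which is hex-encoded ASCII carrying the VSS process and user context that the mapping does not surface. The sample event is constructed and trimmed from the page's EVID 12289 event; only its <Binary> value is copied verbatim.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rule table from this page: EVID -> (rule name, common event, classification);
# any other VSS event ID matches only the base rule.
VSS_RULES = {
    8219: ("EVID 8219 : VSS File Expanding Timeout", "VSS Service Timeout", "Information"),
    8220: ("EVID 8220 : VSS File Delete Timeout", "VSS Service Timeout", "Information"),
    8224: ("EVID 8224 : VSS Idle Timeout", "VSS Service Timeout", "Information"),
    8225: ("EVID 8225 : VSS Shutting Down", "General VSS Information", "Information"),
    12289: ("EVID 12289 : VSS Error", "General VSS Error", "Error"),
}
CATCH_ALL = ("Catch All : VSS Messages", "General VSS Information", "Information")

def decode_binary(hex_text):
    """<Binary> is hex-encoded ASCII: VSS records the calling process, PID/TID
    and user account there, context the schema mapping does not surface."""
    if not hex_text:
        return ""
    return bytes.fromhex(hex_text.strip()).decode("ascii", errors="replace").strip()

def map_vss_event(xml_text):
    """Apply the four schema mappings and the rule table to one VSS event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    evid = int(system.find("e:EventID", NS).text)
    rule, common_event, classification = VSS_RULES.get(evid, CATCH_ALL)
    binary = root.find("e:EventData/e:Binary", NS)
    return {
        "vendorinfo": system.find("e:Provider", NS).get("Name"),
        "vmid": evid,
        "severity": system.find("e:Level", NS).text,
        "dname": system.find("e:Computer", NS).text,
        "rule": rule,
        "common_event": common_event,
        "classification": classification,
        "binary_text": decode_binary(binary.text if binary is not None else ""),
    }

# Constructed sample, trimmed from the page's EVID 12289 event; <Binary> is copied verbatim.
SAMPLE_12289 = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='VSS'/><EventID Qualifiers='0'>12289</EventID>"
    "<Level>Error</Level><Computer>_destinationHostname</Computer></System>"
    "<EventData><Data>0x80070001, Incorrect function.</Data><Binary>"
    "2D20436F64653A20494E434943484C4830303030303532312D2043616C6C3A20434F52485755544330303030303131372D205049443A2020"
    "30303030343134302D205449443A202030303030313539322D20434D443A2020433A5C57696E646F77735C73797374656D33325C76737376"
    "632E6578652020202D20557365723A204E616D653A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820"
    "</Binary></EventData></Event>"
)
```

Running map_vss_event(SAMPLE_12289) yields the four mapped fields from the table, the EVID 12289 sub rule, and the decoded binary text naming vssvc.exe running as NT AUTHORITY\SYSTEM.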